AI Security Review
scanned 3h ago · by lpm-firewall-aiA confirmed install-time hook exists, but the referenced chmod.js file is outside this package and not present in the extracted package. No concrete exfiltration, persistence, destructive behavior, or agent-control mutation is visible in readable package source.
Static reason
One or more suspicious static signals were detected.
Trigger
npm install postinstall
Impact
unresolved install-time behavior or install failure
Mechanism
external lifecycle script reference
Rationale
Static inspection found only package.json and a postinstall hook pointing outside the package; this is suspicious because install-time behavior is not package-local, but no concrete malicious payload is visible. Warn rather than block absent source evidence of exfiltration, destructive action, persistence, or unconsented broad agent control-surface mutation.
Evidence
package.json../../scripts/chmod.js
Decision evidence
public snapshotAI called this Suspicious at 78.0% confidence as Unknown with medium false-positive risk.
Evidence for warning
- package.json defines install-time postinstall: node ../../scripts/chmod.js
- postinstall target is outside this package directory, so its behavior is not inspectable from the package source
- package files list advertises bin/ and README.md but extracted package contains only package.json
Evidence against
- No package source files besides package.json were present in the extracted package
- No network endpoints, credential harvesting, eval/vm/Function, or destructive logic are present in readable package files
- No AI-agent config writes or control-surface mutation are shown in readable source
Behavioral surface
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node ../../scripts/chmod.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node ../../scripts/chmod.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High1 Medium1 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
LowScripts Present